nixos grub: trustedBoot: introduce safety check that TPM is available

2015-10-05 13:45:20 +02:00 · 2015-10-05 13:45:20 +02:00 · 7a8980193d
parent 5b800ea05e
commit 7a8980193d
1 changed files with 13 additions and 2 deletions
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@ -378,6 +378,17 @@ in
        '';
      };

+      systemHasTPM = mkOption {
+        default = "";
+        example = "YES_TPM_is_activated";
+        type = types.string;
+        description = ''
+          Assertion that the target system has an activated TPM. It is a safety
+          check before allowing the activation of 'enableTrustedBoot'. TrustedBoot
+          WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
+        '';
+      };
+
    };

  };
@ -453,8 +464,8 @@ in
          message = "Trusted GRUB does not have ZFS support";
        }
        {
-          assertion = !cfg.enableTrustedBoot;
-          message = "Trusted GRUB can break your system. Remove assertion if you want to test trustedGRUB nevertheless.";
+          assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated";
+          message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
        }
      ] ++ flip concatMap cfg.mirroredBoots (args: [
        {